MD5 vs SHA-1 vs SHA-256: Hashing Algorithms Compared

Cryptographic hash functions are the backbone of modern security. They power everything from password storage to blockchain consensus to software distribution verification. But with multiple algorithms available — MD5, SHA-1, SHA-256, SHA-512, SHA-3 — choosing the right one matters. A poor choice can leave your application vulnerable to real-world attacks.

What Are Cryptographic Hash Functions?

A cryptographic hash function takes an arbitrary-length input and produces a fixed-length output (the "digest"). A good hash function satisfies five key properties:

MD5 (Message Digest 5)

Designed by Ronald Rivest in 1992, MD5 produces a 128-bit (16-byte) hash, typically rendered as a 32-character hex string. For years it was the go-to hash function, but its security has been thoroughly compromised.

In 2004, researchers demonstrated practical collision attacks against MD5. By 2008, a team created a rogue CA certificate using MD5 collisions, proving real-world exploitability. Today, collisions can be generated in seconds on consumer hardware.

SHA-1 (Secure Hash Algorithm 1)

SHA-1 produces a 160-bit (20-byte) digest. It was the standard hash for SSL certificates, Git commits, and many other systems for nearly two decades.

The turning point came in 2017 with the SHAttered attack, where Google and CWI Amsterdam produced two different PDF files with the same SHA-1 hash. The attack required approximately 2⁶³ SHA-1 computations — enormous, but well within reach of nation-state actors and cloud computing budgets.

SHA-256 (SHA-2 Family)

SHA-256 is part of the SHA-2 family designed by the NSA and published by NIST. It produces a 256-bit (32-byte) digest and is the workhorse of modern cryptography. It powers TLS certificates, Bitcoin mining, code signing, and countless other applications.

No practical attacks exist against SHA-256. Theoretical collision resistance is 2¹²⁸ operations, which remains far beyond the reach of any foreseeable computing technology including quantum computers (Grover's algorithm would reduce this to 2¹²⁸ for pre-image, still infeasible).

SHA-512: When to Prefer Over SHA-256

SHA-512 is SHA-256's bigger sibling, producing a 512-bit (64-byte) digest. While both are in the SHA-2 family, SHA-512 has some surprising advantages:

• Faster on 64-bit processors: SHA-512 uses 64-bit arithmetic internally, making it faster than SHA-256 on modern 64-bit CPUs. Benchmarks often show SHA-512 being 30-50% faster.
• Larger security margin: 256-bit collision resistance vs SHA-256's 128-bit.
• SHA-512/256 truncation: You can use SHA-512 internally but truncate to 256 bits, getting SHA-512's speed with SHA-256's output size.

Prefer SHA-512 when processing large files on 64-bit systems, or when you need the extra security margin for long-lived data.

SHA-3 (Keccak): The Newest Standard

SHA-3 was standardized by NIST in 2015 after a public competition won by the Keccak algorithm. Unlike SHA-2 (which uses the Merkle-Damgård construction), SHA-3 uses a sponge construction, making it structurally different and resistant to any future attack that might target SHA-2's design.

SHA-3 is not a replacement for SHA-2 — rather, it's an insurance policy. If a weakness is ever found in SHA-2's construction, SHA-3 provides a ready alternative. In practice, SHA-256 remains the default choice for most applications. SHA-3 sees use in some blockchain protocols (Ethereum uses Keccak-256) and in systems that require algorithm diversity.

Algorithm Comparison

Password Hashing: Why Raw SHA-256 Is NOT Enough

This is one of the most critical misunderstandings in security. General-purpose hash functions like SHA-256 are designed to be fast. That's exactly what you don't want for passwords. A modern GPU can compute billions of SHA-256 hashes per second, making brute-force and dictionary attacks trivial.

Instead, use a purpose-built password hashing function that is intentionally slow and memory-intensive:

Real-World Applications

Choosing the Right Algorithm